Secure and differentiated delivery of network security information

ABSTRACT

The present invention is directed to a facility for distributing network security information. The facility receives network security information and recipient selection information specifying a characteristic of perspective recipients to be used in selecting recipients for the security information. The facility then compares the received recipient selection information to each of a plurality of perspective recipient profiles. Each perspective recipient profile corresponds to one or more perspective recipients and indicates one or more characteristics of the perspective recipients relating to the receipt of network security information. Based upon this comparison, the facility selects at least a portion of the plurality of perspective recipients as recipients of the network security information, and addresses the network security information to each of the selected recipients.

TECHNICAL FIELD

The present invention is directed to the field of computer networking,and more particularly, to the fields of network security and informationdelivery.

BACKGROUND OF THE INVENTION

As computer systems become more ubiquitous, it becomes increasinglycommon for computer systems to be connected together in computernetworks, such as the Internet. Such increased connectivity betweencomputer systems provides significant benefits by enabling the exchangeof useful information between users of connected computer systems.

Unfortunately, increased connectivity between computer systems alsocreates significant hazards. Malicious or careless users can oftennegatively affect target computer systems to which their computersystems are connected by, for example: misappropriating, deleting, ormodifying important and/or valuable data; misappropriating valuableservices; or temporarily or permanently impairing the operation of thecomputer system. While the hardware and software comprising a computersystem is generally designed to prevent these sorts of “attacks,” it isnonetheless often possible for outsiders to discover and exploitvulnerabilities in particular hardware, software, or both.

In order to secure their computer systems against such hazards, usersand system administrators often seek one-on-one assistance from networksecurity experts. Unfortunately, the scarcity of such experts and thesignificant costs of retaining them make them inaccessible to many usersand system administrators. This is exacerbated by the ongoing discoveryof new target computer system vulnerabilities and the development ofincreasingly sophisticated forms of attacks.

In view of the need by many users and system administrators for promptand ongoing assistance in securing their computer systems, an automatedsystem for securely distributing security-related information fromnetwork security experts to a substantial number of recipientsautomatically selected from a list of subscribers based upon theirsecurity characteristics would have significant utility.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a network diagram showing the connection of computer systemsinvolved in the delivery of distributions by the facility.

FIG. 2 is a network diagram showing a typical secured network operatedby a subscriber.

FIG. 3 is a high-level block diagram of the addressing computer system.

FIG. 4 is a high-level block diagram of a typical delivery computersystem.

FIG. 5 is a high-level block diagram of a typical network securitymanagement workstation operated by a subscriber.

FIG. 6 is a flow diagram showing the steps preferably performed by thefacility in the subscriber registration program.

FIG. 7 is a display diagram showing a web page for solicitinginformation about a new subscriber.

FIGS. 8A-8B are data structure diagrams showing typical contents of thesubscriber information database.

FIG. 9 is a flow diagram showing the steps preferably performed by thefacility in the addressing program.

FIG. 10 is a data structure diagram showing a distribution containinginformation.

FIG. 11 is a data structure diagram showing a distribution containingcode.

FIG. 12 is a data structure diagram showing a distribution containingnetwork security data.

FIG. 13 is a data structure diagram showing typical contents of theaddressed distribution database.

FIG. 14 is a flow diagram showing the steps preferably performed by thefacility in the subscriber request processing program.

FIG. 15 is a data structure diagram showing the contents of a pollingrequest sent from the client at a subscriber to a delivery computersystem.

FIG. 16 is a data structure diagram showing a response to a clientrequest transmitted from the delivery computer system receiving theclient request to the client transmitting the client request.

FIG. 17 is a flow diagram showing the steps preferably performed by thefacility in the client program.

FIG. 18 is a display diagram showing the display of a visual alert.

FIG. 19 is a display diagram showing the display of a distributioncontaining information.

FIG. 20 is a display diagram showing the display of a software updatedistribution containing code.

FIGS. 21-23 are display diagrams showing the display of a threatresponse distribution.

FIG. 24 is a flow diagram showing the steps preferably performed by thefacility in a secure subscriber email program preferably executing on anencrypted mail server among the distribution computer systems.

FIG. 25 is a data structure diagram showing an email distributiontransmitted from the encrypted email server computer system to a networksecurity management workstation at a client.

FIG. 26 is a flow diagram showing the steps preferably performed by thefacility in an encrypted email version of the client program.

DETAILED DESCRIPTION OF THE INVENTION

The present invention provides a software facility for the secure anddifferentiated delivery of network security information (“the facility”)to support a network security information service. In a preferredembodiment, the facility selects addressees for a particular instance ofnetwork security information (a network security information“distribution”) based on security characteristics of subscribers towhich the distribution relates, securely and reliably delivers thedistribution to each selected addressee, and enables a user at thesubscriber to promptly and conveniently review and act on thedistribution.

Distributions are preferably prepared by a team of network securityexperts. A distribution may contain information, such as textualinformation, for review by a network security administrator. Forexample, the distribution could contain information describing anewly-discovered form of network attack, and explain how networksecurity equipment or software already being used by the subscriberprotects the subscriber from such attacks. A distribution may alsocontain software. Such software can include both software designed toexecute once to ensure that the subscriber's network is protected from acertain type of attack, or new or updated network security software thatexecutes continuously to ensure the security of the subscriber'snetwork. A distribution may also contain data used for network securitypurposes. For example, where a subscriber uses a particular networksecurity device that operates based upon a set of security rules, adistribution to the subscriber may contain additional rules to be addedto the set used by the network security device.

Because some distributions are only useful to subscribers having certainsecurity characteristics, such as those having a particular networksecurity device, the facility preferably selects addressees for eachdistribution from the subscribers registered with the network securityinformation service. In this regard, the facility preferably uses asubscriber information database that stores information about eachsubscriber registered with the network security information service. Forexample, the subscriber database may contain, for each subscriber, anindication of the types of network security equipment, network securitysoftware, and applications used by the subscriber. When the facilityreceives a new distribution, it preferably receives with it anaddressing query designed to select addressees for the distribution. Thefacility performs the addressing query against the subscriberinformation database to select addressees of the distribution. Byselecting addressees for a distribution (or “addressing” thedistribution), the facility maximizes the extent to which eachregistered subscriber receives the distributions that relate to it, andminimizes the extent to which each registered subscriber receivesdistributions that do not relate to it. Also, by directly controllingthe set of addressees, the facility ensures that distributions are notdelivered to parties other than subscribers.

After the distribution is addressed to addressees among the registeredsubscribers, the facility attempts to deliver the distribution to eachof the addressees to which the distribution is addressed. The facilitymay preferably deliver distributions either by secure email sent fromthe network security information service to the addressees, or using aclient polling procedure in which a client program at each subscriberperiodically polls a server maintained by the network securityinformation service for new distributions addressed to its subscriber.In order to implement the client polling procedure, in certainembodiments, the facility utilizes BackWeb Foundation software,available from BackWeb Technologies of San Jose, Calif. For emaileddistributions, a verified email address for the subscriber is preferablyused. For distributions delivered by the client polling procedure,polling requests from the client preferably include a secret uniqueidentifier issued to the subscriber, encrypted using public keyencryption. These measures help ensure that the distribution isdelivered only to the subscribers to which it is addressed.

During delivery, each distribution is preferably encrypted to preventanyone intercepting the distribution from discerning its content. Eachdistribution is preferably also signed in way that reliably indicatesboth (1) the source of the distribution, and (2) the contents of thedistribution when the distribution left its source. This signature ispreferably used by a component of the facility executing at eachsubscriber to ascertain whether each distribution (1) is from thenetwork security information service or another trusted source and (2)has not been altered since it left that source. The subscriber componentof the facility preferably only allows the subscriber to make use ofdistributions meeting both of these conditions.

The client program of the facility preferably also alerts a user at thesubscriber as soon as a distribution is received, displays informationabout the distribution, and facilitates the application of thedistribution to enhance the level of security of the subscriber'snetwork.

FIG. 1 is a network diagram showing the connection of computer systemsinvolved in the delivery of distributions by the facility. Distributionsare initially received in a network security information addressingcomputer system (“addressing computer system”) 110 operated by thenetwork security information service. For each distribution, theaddressing computer system 110 determines a list of addressees for thedistribution, and forwards this list of addressees along with thedistribution to a number of network security information deliverycomputer systems (“delivery computer systems”) operated by the networksecurity information service, such as delivery computer systems 121-123.The addressing computer system is preferably connected to the deliverycomputer systems by a secure network 111, such as a physically securenetwork or a virtual private network. The delivery computer systems areconnected via the Internet 130 to a number of subscriber networksecurity management workstations at subscriber sites, such as subscribernetwork security management workstations 141-144. Using one of theapproaches described below, the delivery computer systems deliver thedistribution to each of the subscriber computer systems to which thedistribution is addressed. The delivery computer systems are preferablydistributed geographically in accordance with the geographicdistribution of subscribers.

FIG. 2 is a network diagram showing a typical secured network operatedby a subscriber. A secured network 260 is connected to the Internet 230by a network security device 250, such as a WatchGuard Firebox IInetwork security device available from WatchGuard Technologies, Inc. ofSeattle, Wash. The network security device 250 protects computer systemsof the subscriber by controlling the traffic that can flow between theInternet 230 and protected computer systems of the subscriber, such asprotected computer systems 241, 261, 262, and 263. Among the protectedcomputer systems is a network security management workstation computersystem 241. The network security management workstation computer system241 is designated to receive distributions delivered by the facility.The network security device 250 also preferably provides partialprotection to partially protected computer systems of the subscriber,such as computer systems 271 or 272 in a partially secured network 270.Typically, partially protected computer systems provide a service suchas web serving that requires a less restricted connection to theInternet.

FIG. 3 is a high-level block diagram of the addressing computer system.The addressing computer system 300 contains one or more centralprocessing units (CPUs) 310, input/output devices 320, and a volatilecomputer memory/persistent storage device (memory) 330. Among theinput/output devices is a network connection 321, through which theaddressing computer system 300 may communicate with other connectedcomputer systems; and a computer-readable media drive 322, which can beused to install software products, including portions of the facility,which are provided on a computer-readable medium, such as a CD-ROM. Thememory 330 preferably contains a subscriber information database 331containing information about each registered subscriber. As is discussedfurther below, this information includes security characteristics of thesubscriber that are used to determine whether to deliver particulardistributions to the subscriber. The memory 330 preferably furthercontains a portion of the facility called the “addressing program” 332,which receives distributions and uses the subscriber informationdatabase 331 to address the distributions to subscribers. It will berecognized by those skilled in the art that portions of the contentsshown in memory 330 may be maintained in the volatile memory device, ona persistent storage device, or both, depending upon the state of theaddressing computer system at any given time.

FIG. 4 is a high-level block diagram of a typical delivery computersystem. The delivery computer system 400 has CPUs 410 and input/outputdevices 420 similar to the addressing computer system. The memory 430 ofthe delivery computer system contains a portion of the facility calledthe “subscriber registration program” 433, which registers newsubscribers with the network security information service. The memory430 further contains a database 434 of addressed distributions or use indelivering distributions. The memory 430 also contains a portion of thefacility called the “subscriber request processing program” 435 whichdelivers distributions addressed to a particular subscriber when apolling request is received from that subscriber.

FIG. 5 is a high-level block diagram of a typical network securitymanagement workstation operated by a subscriber. The CPUs 510 of thenetwork security management workstation 500 are similar to those of theaddressing computer system. The input/output devices 520 of the networksecurity management workstation, in addition to a network connection 521and a computer-readable media drive 522, include a display device 523for displaying visual information, such as a video monitor; a pointingdevice 524 for selecting positions within displayed information, such asa mouse; and an audio output device 525 for outputting audioinformation, such as a speaker. The memory 530 of the network securitymanagement workstation includes a portion of the facility called the“client program” 536, which polls for, receives, and processesdistributions. The memory 530 also contains a network securitymanagement program 537 that manages the security of the subscriber'snetwork, preferably in conjunction with the network security device. Thememory 530 preferably further contains network security management data538, such as network security rules, used by the network securitymanagement program 537.

While the facility is preferably implemented on computer systemsconfigured as described above in conjunction with FIGS. 1-5, thoseskilled in the art will recognize that it may also be implemented oncomputer systems having different configurations. Those skilled in theart will further recognize that various functionalities of the facilitymay be distributed across multiple computer systems in a mannerdifferent from that described above in conjunction with FIGS. 1-5.

FIG. 6 is a flow diagram showing the steps preferably performed by thefacility in the subscriber registration program. The subscriberregistration program is preferably executed on each of the deliverycomputer systems. In step 601, the facility serves a web page to thenetwork security management workstation of a new subscriber thatsolicits information about the subscriber. FIG. 7 is a display diagramshowing such a web page. The web page 710, which is displayed in a webbrowser window 700, contains fields 720 that can be used by a user atthe subscriber to provide information about the subscriber.

Returning to FIG. 6, in step 603, the facility downloads to the networksecurity management workstation the latest version of the clientprogram. In step 604, the facility forwards the subscriber informationto the addressing computer system for storage in the subscriberinformation data base. After step 604, these steps conclude.

FIGS. 8A and 8B are data structure diagrams showing typical contents ofthe subscriber information database. The contents of the subscriberinformation database are used by the facility to address distributionsto the appropriate subset of subscribers.

FIG. 8A shows a primary subscriber information database table in whichsubscriber information is stored. The primary subscriber informationdatabase table 800 contains a number of rows, such as rows 811-813, eachrepresenting a different subscriber. Each row is divided into columnsrelating to different types of information, such as column 801containing a subscriber identifier uniquely identifying the subscriber,column 802 containing an indication of the type of primary networksecurity device used by the subscriber, column 803 containing anindication of the version of the network security software used by thesubscriber, column 804 indicating the contract type of the subscriberindicating the level of service to be provided to the subscriber, andcolumn 805 contain the maximum permissible level of encryption that canbe provided to the subscriber.

FIG. 8B shows a secondary subscriber information database table in whichadditional subscriber information is stored. In particular, thesecondary subscriber information database table includes subscriberinformation relating to supplemental attributes not represented in theprimary subscriber information database table. The secondary subscriberinformation database table 850 contains a number of rows, such as rows861, 862, 863, and 871, each representing a different subscriberattribute. Each row of the secondary subscriber information databasetable is divided into the following columns: a subscriber identifier 851of a subscriber having a supplemental attribute; a subscriber attributecolumn 852 containing an indication of the supplemental attribute of thesubscriber to which the row relates; and an attribute value column 853containing the value of that attribute. For example, row 861 indicatesthat the subscriber having subscriber identifier 1516 has the value “MSExchange” for the supplemental attribute “application,” or that thissubscriber uses the MS Exchange application. While the subscriberinformation database is shown in this form in order to facilitate anappreciation for its contents, those skilled in the art will recognizethat the subscriber information database may be organized in other, moreefficient ways. Those skilled in the art will also recognize thatadditional types of information about each subscriber may be stored inthe subscriber information database and used to address distributions.

FIG. 9 is a flow diagram showing the steps preferably performed by thefacility in the addressing program. The addressing program preferablyexecutes on each of the addressing computer systems. In step 901, thefacility receives a distribution, also known as an “instance of networksecurity information.” With the distribution, the facility receives anaddressing query reflecting the subset of subscribers to which thedistribution is to be addressed.

FIGS. 10-12 are data structure diagrams showing sample distributioncontents. FIG. 10 is a data structure diagram showing a distribution1000 containing information, such as textual information, informingsubscribers of the distribution about network security issues. Such adistribution is called an “information alert” distribution. FIG. 11 is adata structure diagram showing a distribution 1100 containing code thatmay be executed by the subscriber to provide enhanced network security.The code may be designed to be executed once upon receipt in order totest and/or modify the state of the security management work stationand/or the network security device. Alternatively, the code may bedesigned for continuous execution on one or both of those computersystems. Such a distribution is called a “threat response” distributionif it addresses a particular newly-identified threat to networksecurity. On the other hand, such a distribution is called a “softwareupdate” distribution if it replaces software that regularly executes onthe security management workstation or network security device with anewer version. FIG. 12 is a data structure diagram showing adistribution 1200 containing network security data. In general, suchdistributions generally address particular threats, and thereforeconstitute a threat response.

Returning to FIG. 9, in step 902, the facility performs the addressingquery against the subscriber information database to produce a list of asubscriber identifiers of subscribers whose subscriber informationmatches the addressing query. These subscribers are called “addressees”of the distribution. In step 903, the facility forwards to the deliverycomputer systems both the distribution and the list of subscriberidentifiers produced in step 902 for storage in the addresseddistribution database maintained by each delivery computer system. Wherea portion of the subscribers identified by the produced subscriberidentifiers have requested to receive distributions via encrypted email,the contents of the distribution and the subscriber identifiers of thesesubscribers are preferably instead transmitted to an encrypted mailserver computer system among the delivery computer systems. After step903, these steps conclude.

FIG. 13 is a data structure diagram showing typical contents of theaddressed distribution database. The addressed distribution database ispreferably stored on each delivery computer system. In the addresseddistribution database 1300, the major rows, such as major rows 1310,1320, and 1330, each correspond to a different distribution. A major rowcontains the contents of a distribution, and one or more minor rows eachcorresponding to a different addressee of the distribution. For example,major row 1310 includes minor rows such as minor rows 1311-1313. Eachminor row contains the subscriber identifier of one addressee of thedistribution indication of the date and time at which the distributionwas delivered to the addressee if the distribution has been delivered tothe addressee. The addressed distribution database is used by eachdelivery computer system to determine whether any distributions havebeen addressed to subscribers that have not yet been delivered. Forexample, if a delivery computer system received a polling request fromthe subscriber having subscriber identifier 2497, the facility would usethe address distribution database to determine that the distributionsrepresented by major rows 1320 and 1330 have not yet been delivered tothis subscriber, as minor rows 1321 and 1331 do not contain a deliverydate.

While the addressed distribution database is shown in this form in orderto facilitate an appreciation for its contents, those skilled in the artwill recognize that the addressed distribution database may be organizedin other, more efficient ways. For example, rather than directlycontaining the distribution contents, the addressed distributiondatabase may contain references to the distribution contents stored inanother location. Further, the addressed distribution database may beindexed by subscriber identifier to facilitate reference into theaddressed distribution database for a particular subscriber.Additionally, the addressed distribution database could be organized inaccordance with each subscriber identifier rather than in accordancewith each distribution.

FIG. 14 is a flow diagram showing the steps preferably performed by thefacility in the subscriber request processing program. In step 1401, thefacility receives a polling request from the program executing on thenetwork security management workstation client at a subscriber. Therequest contains the subscriber identifier of the subscriber and a newsession encryption key generated by the client. The subscriberidentifier and the session key are preferably encrypted with the publickey of the network security information service.

FIG. 15 is a data structure diagram showing the contents of a pollingrequest sent from the client at a subscriber to a delivery computersystem. The client request 1500 contains the target address of therequest—that is, the address of the delivery computer system. The clientrequest 1500 further contains a source address 1502 for the request—thatis, the address of the network security management workstation uponwhich the client is executing. The client request 1500 further containsa section 1505 in which the subscriber identifier 1503 of the subscriberand the session key 1504 generated by the client are encrypted with thepublic key of the network security information service.

Returning to FIG. 14, in step 1402, the facility decrypts the subscriberidentifier and session key using the private key of the network securityinformation service. In step 1403, the facility uses the addresseddistribution database to identify distributions addressed to thesubscriber but not yet delivered to the subscriber. In steps 1404-1410,the facility loops through each distribution identified in step 1403. Instep 1405, the facility computes a one-way function on the contents ofthe distribution. The result of this one-way function is acharacterization of the contents of the distribution. In general, theone-way function produces different results for distributions havingdifferent contents. In step 1406, the facility encrypts the result ofthe one-way function with the private key of the network securityinformation service. In step 1407, the facility attaches the encryptedresult of step 1406 to the contents of the distribution. Then, in step1408, the facility encrypts the distribution and encrypted one-wayfunction result with the session key received from the client. In step1409, the facility transmits the encrypted distribution contents andone-way function result to the client.

FIG. 16 is a data structure diagram showing a response to a clientrequest transmitted from the delivery computer system receiving theclient request to the client transmitting the client request. Theresponse 1600 contains a target address 1601—that is, the address of thenetwork security management workstation on which the requesting clientis executing. The response 1600 further contains a source address1602—that is, the address of the delivery computer system. The response1600 also contains a portion 1607, in which block 1606 is encrypted withthe session key received from the client. Block 1606 in turn containsthe contents of a distribution addressed to the subscriber as well asencrypted block 1604. In encrypted block 1604, the one-way functionresult 1603 is encrypted with the private key of the network securityinformation service. Returning to FIG. 14, in step 1410, if additionalidentified distributions remain to be processed, then the facility loopsback to step 1404 to process the next identified distribution. Afterstep 1410, the steps conclude.

FIG. 17 is a flow diagram showing the steps preferably performed by thefacility in the client program. The client program is preferablyexecuted in the network security management workstation at eachsubscriber. The facility preferably loops through steps 1701-1719 atregular intervals, such as every fifteen minutes. In step 1702, thefacility generates a new session key to use in communicating with thedelivery computer system to which is it assigned. In step 1703, thefacility encrypts the subscriber identifier of the subscriber and thesession key generated in step 1702 with the public key of the networksecurity information service. In step 1704, the facility transmits tothe delivery computer system a polling request for new distributionsaddressed to the subscriber. The request contains the encryptedsubscriber identifier and session key generated in step 1703. In step1705, the facility receives zero or more responses from the deliverycomputer system. Each received response constitutes the delivery of onedistribution.

In steps 1706-1718, the facility loops through each received response.If no response is received, the facility continues in step 1719. In step1707, the facility decrypts the response using the session key generatedin step 1702. In step 1708, the facility uses the public key of thenetwork security information service to decrypt the one-way functionresult contained in the response. In step 1709, the facility recomputesthe one-way function on the distribution contents contained in theresponse. In step 1710, if the one-way function result generated in step1709 matches the one-way function result contained in the response, thenthe facility continues in step 1711 to process the distribution, elsethe facility continues in step 1718. In step 1711, the facility alertsthe user to the arrival of the distribution. In step 1711, the facilitymay display a visual alert, output an audible alert, or both. FIG. 18 isa display diagram showing the display of a visual alert. Visual alert1800 is displayed when a valid distribution is received. In response,the user may press button 1801 to review the distribution, or may pressbutton 1802 to dismiss the visual alert.

Returning to FIG. 17, in step 1712, the facility receives user input todisplay information about the current distribution. FIG. 19 is a displaydiagram showing the display of a distribution containing information.Window 1900 shows the contents of an information alert distribution. Theinformation alert distribution has textual contents 1901 discussing anetwork security issue. Window 1900 further contains button 1909, whichcan be selected to close window 1900.

FIG. 20 is a display diagram showing the display of a software updatedistribution containing code. Window 2000 contains information 2001about updated network security code that is to be installed on thenetwork security management workstation computer system and/or thenetwork security device. Window 2010 contains the code 2011 that is tobe installed, as well as a file 2012 containing additional informationabout the code. In a further preferred embodiment, Window 2000 directlycontains a visual control that may be selected by the user to installthe software update.

FIGS. 21-23 are display diagrams showing the display of a threatresponse distribution. The client displays Window 2100, which containsessential information 2101, 2202, 2303 about the threat and a proposedresponse. Client also displays Window 2110 containing new networksecurity rules 2111 and additional information 2113 to be used inresponding to the threat. In a further preferred embodiment, Window 2100contains a visual control that may be selected by the user in order toactivate the distribution.

Returning to FIG. 17, in step 1713, if the distribution is activatable,then the facility continues in step 1714, else the facility continues instep 1715. In step 1714, the facility displays information about thedistribution with controls for activating and dismissing thedistribution. After step 1714, the facility continues in step 1716. Instep 1715, the facility displays information about the distribution witha control for dismissing the distribution. After step 1715, the facilitycontinues in step 1716. In step 1716, if an activation control isselected, then the facility continues in step 1717 to activate thedistribution, else the dismiss control is selected and the facilitycontinues in step 1718. For distributions containing network securitydata, step 1717 preferably involves storing the security data in aparticular manner on the network security management workstation and/oron the network security device. For distributions containing code, step1717 preferably involves executing and/or installing the code on thenetwork security workstation and/or on the network security device. Instep 1718, the facility loops back to step 1706 to process the nextreceived response. In step 1719, the facility waits until the nextinterval expires, then loops back to step 1701 in order to generate anew polling request. In a further preferred embodiment, in response to auser command, the facility loops back to step 1701 to generate a newpolling request before the expiration of the next interval.

FIGS. 24-26 illustrate the delivery of distributions via encryptedemail. FIG. 24 is a flow diagram showing the steps preferably performedby the facility in a secure subscriber email program preferablyexecuting on an encrypted mail server among the distribution computersystems. In step 2401, the facility receives from the addressingcomputer system the contents of a distribution and a list of subscriberidentifiers for subscribers that are to receive the distribution viaencrypted email. In step 2402, the facility computers a one-way functionon the contents of the distribution. In step 2403, the facility encryptsthe result of the one-way function with the private key of the networksecurity information service. In step 2404, the facility attaches theencrypted result of step 2403 to the contents of the distribution. Insteps 2405-2408, the facility loops through each email addressee in thereceived list of email addressees. In step 2406, the facility encryptsthe results of step 2404 using the public key of the current emailaddressee. In step 2407, the facility transmits an email to the currentaddressee containing the result of step 2406. In step 2408, ifadditional email addressees remain, then the facility loops back to step2405 to process the next email addressee. After step 2408, these stepsconclude.

FIG. 25 is a data structure diagram showing an email distributiontransmitted from the encrypted email server computer system to a networksecurity management workstation at a client. The email distribution ispreferably generated in accordance with steps 2402, 2403, 2404, and 2406discussed above. The email distribution 2500 contains a one-way functionresult 2501, which is encrypted with the private key of the networksecurity information service to form encrypted block 2502. Encryptedblock 2502 and the distribution 2503 are aggregated together in block2504. Block 2504 is in turn encrypted with the public key of theaddressee subscriber to constitute email distribution 2500.

FIG. 26 is a flow diagram showing the steps preferably performed by thefacility in an encrypted email version of the client program. Theencrypted email version of the client program preferably executes on anetwork management workstation at a subscriber. In step 2601, thefacility receives an encrypted email containing a new distribution plusan encrypted one-way function result. In step 2602, the facility usesthe private key of the subscriber to decrypt the email distribution 2500to obtain block 2504. In step 2603, the facility decrypts the encryptedone-way function result 2502 using the public key of the networksecurity information service to obtain the one-way function result 2501.In step 2604, the facility recomputes the one-way function on thecontents of the distribution 2503. In step 2605, if the one-way functionresult generated in step 2604 matches the one-way function result 2501contained in the email, then the facility continues in step 2606 toprocess the distribution, else the facility continues in step 2601 toreceive the next email. In step 2606, the facility alerts the user tothe route of the distribution. In step 2606, the facility may display avisual alert, output an audible word, or both. In step 2607, thefacility receives user input to display information about the currentdistribution. In step 2608, if the distribution is activatable, then thefacility continues in step 2609, else the facility continues in step2610. In step 2609, the facility displays information about thedistribution with controls for activating and dismissing thedistribution. After step 2609, the facility continues in step 2611. Instep 2610, the facility displays information about the distribution withthe control for dismissing the distribution. After step 2610, thefacility continues in step 2611. In step 2611, if an activation controlis selected, the facility continues in step 2612 to activate thedistribution, else the dismiss control is selected and the facilitycontinues in step 2601 to receive the next email. In some embodiments,certain sensitive types of distribution contents are not encloseddirectly in emailed distributions, but rather are enclosed by reference.In particular, the emailed distribution contains a secure http link to asecure http server from which the sensitive contents may be retrieved.In such cases, the facility in step 2612 dereferences the secure httpreference in order to retrieve the sensitive contents via a secure httpfrom the secure http server. After step 2612, the facility continues instep 2601 to receive the next emailed distribution.

While this invention has been shown and described with reference topreferred embodiments, it will be understood by those skilled in the artthat various changes or modifications in form and detail may be madewithout departing from the scope of the invention. For example, thefacility may be implemented across arrangements of computer systemsdifferent than those discussed, and may use other types of encryptionand certification than those discussed. Also, the facility could be usedto distribute other types of related information.

1. A method in a computer system for distributing network securityinformation, comprising: attaching to the network security information asignature that both reliably identifies the origin of the networksecurity information and characterizes the contents of the networksecurity information, the attached signature enabling recipients of thenetwork security information to identify the origin of the networksecurity information and determine whether the network securityinformation has been altered since the signature was attached; receivinga query identifying characteristics of potential network securityinformation recipients that should receive the network securityinformation; from among the multiplicity of potential recipients,selecting a plurality of recipients for the network security informationby performing the query against a recipient profiling data storecontaining information relating to characteristics of each of amultiplicity of potential network security information recipients; andtransmitting the signed network security information to each of theplurality of selected recipients.
 2. The method of claim 1 wherein thenetwork security information is transmitted to a recipient computersystem, further comprising, in the recipient computer system: receivingthe signed network security information; using the signature to identifythe origin of the network security information; using the signature todetermine whether the network security information has been alteredsince the signature was attached; and only if the origin of the networksecurity information is an acceptable origin and it is determined thatthe network security information has not been altered since thesignature was attached, utilizing the network security information. 3.The method of claim 2 wherein the network security information isutilized by displaying the network security information.
 4. The methodof claim 2 wherein the network security information contains a computerprogram, and wherein the network security information is utilized byexecuting the computer program contained by the network securityinformation.
 5. The method of claim 2 wherein the network securityinformation contains data, and wherein the network security informationis utilized by storing the data contained by the network securityinformation in a local data structure.
 6. The method of claim 2, furthercomprising, when the network security information is received,displaying an indication that the network security information has beenreceived.
 7. A computer-readable medium whose contents cause a computersystem to distribute network security information by: attaching to thenetwork security information a signature that both reliably identifiesthe origin of the network security information and characterizes thecontents of the network security information, the attached signatureenabling recipients of the network security information to identify theorigin of the network security information and determine whether thenetwork security information has been altered since the signature wasattached; receiving a query identifying characteristics of potentialnetwork security information recipients that should receive the networksecurity information; from among the multiplicity of potentialrecipients, selecting a plurality of recipients for the network securityinformation by performing the query against a recipient profiling datastore containing information relating to characteristics of each of amultiplicity of potential network security information recipients; andp1 transmitting the signed network security information to each of theplurality of selected recipients.
 8. A method in one or more computersystems for distributing network security information, comprising:receiving network security information; receiving recipient selectioninformation specifying a characteristic of prospective recipients to beused in selecting recipients for the received network securityinformation; comparing the received recipient selection information toeach of a plurality of prospective recipient profiles, each prospectiverecipient profile corresponding to one or more prospective recipientsand indicating one or more characteristics of the prospective recipientsrelating to the receipt of network security information; based upon thecomparison, selecting at least a portion of the plurality of prospectiverecipients as recipients of the network security information; andaddressing the received network security information to each of theselected recipients.
 9. The method of claim 8, further comprisingdelivering the network security information to one of the selectedrecipients to which it is addressed.
 10. The method of claim 9 whereinthe delivery is performed directly in response to addressing the networksecurity information to the selected recipient.
 11. The method of claim9 wherein the delivery is performed directly in response to an inquiryfrom the selected recipient occurring at a time after the networksecurity information is addressed to the selected recipient.
 12. Themethod of claim 11 wherein the inquiry from the selected recipientincludes information reliably identifying the selected recipient, andwherein the delivery is only performed if the selected recipient isdetermined to be among the selected recipients.
 13. The method of claim11 wherein the inquiry is one of a plurality of inquiries issued by theselected recipient at regular intervals.
 14. The method of claim 9,further comprising, before the delivery of the network securityinformation, attaching to the network security information a reliableindication of the origin of the network security information.
 15. Themethod of claim 9, further comprising, before the delivery of thenetwork security information, encrypting the network securityinformation.
 16. The method of claim 8 wherein the network securityinformation and recipient selection information are received from one ormore specialists engaged in analyzing network security threats.
 17. Themethod of claim 8 wherein the network security information is addressedfor delivery to a management computer system associated with eachselected recipient.
 18. The method of claim 8 wherein the networksecurity information is addressed for delivery to a network securitydevice associated with each selected recipient.
 19. The method of claim8 wherein the network security information contains a reference torelated network security information on a secure web server.
 20. Themethod of claim 8 wherein the network security information is anotification of a new network security issue.
 21. The method of claim 8wherein the network security information is usable by at least one ofthe selected recipients to modify the behavior of a network securitydevice associated with the selected recipient.
 22. The method of claim21 wherein the network security information specifies the modificationof software executing on the network security device associated witheach selected recipient to provide network security services.
 23. Themethod of claim 21 wherein the network security information specifiesthe modification of data used by the network security device associatedwith each selected recipient to provide network security services. 24.The method of claim 8 wherein the network security information is usableby at least one of the selected recipients to modify the behavior of anetwork security device associated with the selected recipient to betterprotect the selected recipients against a newly identified networksecurity threat. 25-27. (canceled)
 28. The method of claim 8, furthercomprising, in a recipient computer system: receiving the networksecurity information; and directly in response to receiving the networksecurity information, notifying a user of the recipient computer systemof the receipt of the network security information.
 29. The method ofclaim 28 wherein the user is notified by displaying a visual indicationthat network security information has been received.
 30. The method ofclaim 28 wherein the user is notified by outputting an audibleindication that network security information has been received.
 31. Acomputer-readable medium whose contents cause one or more computersystems to distribute network security information by: receiving networksecurity information; receiving recipient selection informationspecifying a characteristic of prospective recipients to be used inselecting recipients for the received network security information;comparing the received recipient selection information to each of aplurality of prospective recipient profiles, each prospective recipientprofile corresponding to one or more prospective recipients andindicating one or more characteristics of the prospective recipientsrelating to the receipt of network security information; based upon thecomparison, selecting at least a portion of the plurality of prospectiverecipients as recipients of the network security information; andaddressing the received network security information to each of theselected recipients.
 32. The computer-readable medium of claim 31wherein the contents of the computer-readable medium further cause thecomputer systems to deliver the network security information to one ofthe selected recipients to which it is addressed.
 33. Thecomputer-readable medium of claim 32 wherein the delivery is performeddirectly in response to addressing the network security information tothe selected recipient.
 34. The computer-readable medium of claim 32wherein the delivery is performed directly in response to an inquiryfrom the selected recipient occurring at a time after the networksecurity information is addressed to the selected recipient.
 35. Thecomputer-readable medium of claim 34 wherein the inquiry from theselected recipient includes information reliably identifying theselected recipient, and wherein the delivery is only performed if theselected recipient is determined to be among the selected recipients.36. The computer-readable medium of claim 32 wherein the contents of thecomputer-readable medium further cause the computer systems to, beforethe delivery of the network security information, attach to the networksecurity information a reliable indication of the origin of the networksecurity information.
 37. The computer-readable medium of claim 32wherein the contents of the computer-readable medium further cause thecomputer systems to, before the delivery of the network securityinformation, encrypt the network security information.
 38. Thecomputer-readable medium of claim 31 wherein the network securityinformation contains a reference to related network security informationon a secure web server.
 39. The computer-readable medium of claim 31wherein the network security information is a notification of a newnetwork security issue.
 40. The computer-readable medium of claim 31wherein the network security information is usable by at least one ofthe selected recipients to modify the behavior of a network securitydevice associated with the selected recipient.
 41. The computer-readablemedium of claim 40 wherein the network security information specifiesthe modification of software executing on the network security deviceassociated with each selected recipient to provide network securityservices.
 42. The computer-readable medium of claim 40 wherein thenetwork security information specifies the modification of data used bythe network security device associated with each selected recipient toprovide network security services.
 43. The computer-readable medium ofclaim 31 wherein the network security information is usable by at leastone of the selected recipients to modify the behavior of a networksecurity device associated with the selected recipient to better protectthe selected recipients against a newly identified network securitythreat.
 44. An apparatus for distributing network security information,comprising: a receiver component adapted to receive network securityinformation and recipient selection information specifying acharacteristic of prospective recipients to be used in selectingrecipients for the received network security information; a recipientselection component adapted to compare the recipient selectioninformation received by the receiver component to each of a plurality ofprospective recipient profiles, each prospective recipient profilecorresponding to one or more prospective recipients and indicating oneor more characteristics of the prospective recipients relating to thereceipt of network security information, and, based upon the comparison,select at least a portion of the plurality of prospective recipients asrecipients of the network security information received by the receivercomponent; and an addressing component adapted to address the receivednetwork security information to each of the recipients selected by therecipient selection component.
 45. A method in a computer system forreceiving network security information, comprising: periodicallytransmitting a request to a network security information providercomputer system for new network security information, the requestcontaining a reliable identification of the computer system; receivingfrom a network security information provider computer system a responseto a transmitted request, the response containing network securityinformation, the response further having a signature that both reliablyidentifies the source of the network security information andcharacterizes the contents of the network security information when thenetwork security information left the source of the network securityinformation; using the signature to determine whether the source of thenetwork security information is a trusted source; using the signature todetermine whether the network security information has been alteredsince the network security information left the source of the networksecurity information; and only if it is determined both (1) that thesource of the network security information is a trusted source and (2)that the network security information has not been altered since thenetwork security information left the source of the network securityinformation, using the network security information in the computersystem.
 46. A computer-readable medium whose contents cause a computersystem to receive network security information by: periodicallytransmitting a request to a network security information providercomputer system for new network security information, the requestcontaining a reliable identification of the computer system; receivingfrom a network security information provider computer system a responseto a transmitted request, the response containing network securityinformation, the response further having a signature that both reliablyidentifies the source of the network security information andcharacterizes the contents of the network security information when thenetwork security information left the source of the network securityinformation; using the signature to determine whether the source of thenetwork security information is a trusted source; using the signature todetermine whether the network security information has been alteredsince the network security information left the source of the networksecurity information; and only if it is determined both (1) that thesource of the network security information is a trusted source and(2that the network security information has not been altered since thenetwork security information left the source of the network securityinformation, using the network security information in the computersystem.
 47. A computer system for receiving network securityinformation, comprising: a request transmitter adapted to periodicallytransmit a request to a network security information provider computersystem for new network security information, the request containing areliable identification of the computer system; a receiver adapted toreceive from a network security information provider computer system aresponse to a request transmitted by the request transmitter, theresponse containing network security information, the response furtherhaving a signature that both reliably identifies the source of thenetwork security information and characterizes the contents of thenetwork security information when the network security information leftthe source of the network security information; an analyzer adapted touse the signature contained in the response received by the receiver todetermine both (1) whether the source of the network securityinformation is a trusted source and (2) whether the network securityinformation has been altered since the network security information leftthe source of the network security information; and a network securitysubsystem adapted to use the network security information in thecomputer system only if it is determined by the analyzer both (1) thatthe source of the network security information is a trusted source and(2) that the network security information has not been altered since thenetwork security information left the source of the network securityinformation.
 48. A computer memory containing a network securityinformation addressing data structure, comprising: for each of aplurality of addressee candidates, a unique identification of theaddressee candidate; and information about the addressee candidaterelating to criteria for distributing network security information, suchthat, for an instance of network security information specifyingdistribution criteria, the information about the addressee candidatesrelating to criteria for distributing network security informationcontained by the data structure may be used to identify addresseecandidates having the distribution criteria specified for the instanceof network security information, and such that the uniqueidentifications of the addressee candidates contained by the datastructure may be used to indicate the identification of each of theidentified addressee candidates.
 49. A computer memory containing anetwork security information data structure, comprising: networksecurity information usable to automatically modify the behavior of anetwork security device, the network security information having asource; and a signature reliably indicating both the source of thenetwork security information and the contents of the network securityinformation when the network security information left the source, suchthat the signature contained by the data structure may be used todetermine whether to use the network security information contained bythe data structure to automatically modify the behavior of a networksecurity device.
 50. A generated data signal conveying a networksecurity information data structure, comprising: network securityinformation usable to modify the behavior of a network security device,the network security information having a source; and a signaturereliably indicating both the source of the network security informationand the contents of the network security information when the networksecurity information left the source, such that the signature containedby the data structure may be used to determine whether to use thenetwork security information contained by the data structure to modifythe behavior of a network security device.